Symmetric block cipher is designed for the purpose of protecting electronic data. A block cipher allows encryption of a single data block of the cipher's block length. When data length is longer than the block length, the data has to be partitioned into separate cipher blocks. Thus, encryption methods that make it possible to conceal data of which the length is longer than the block length by using a symmetric block cipher encryption algorithm and encryption methods for generating an authentication code that can be used for detecting tampering of original data are developed. Such encryption methods that are useful for various applications and are based on a symmetric block cipher are called the “Block Cipher Mode of Operation”.
The Block Cipher Mode of Operation “XTS”, which is applied to data stored in a storage device, is disclosed in a publication by the Institute of Electrical and Electronic Engineers (IEEE) P1619-Std-2007. Further, the Block Cipher Mode of Operation disclosed in IEEE P1619-Std-2007 is adopted as SP-800-38E (the Xor-Encrypt-Xor [=XEX]-based Tweaked CodeBook mode with CTS (known as the XTS mode)) in the U.S. Government Federal Information Processing Standards (FIPS) PUB SP800-38 series that defines the Block Cipher Mode of Operation.
The symmetric key cipher is designed so as to encrypt data having the block length by performing an operation thereon. Thus, the encryption is performed on each of blocks of input data obtained by dividing encryption target data into sections each having the block length. When the length of the target data is not equal to an integral multiple of the block length, the length of the last block of partitioned data is shorter than the block length. In the XTS mode, an operation method called CipherText Stealing (CTS), which is proposed by Request for Comments (RFC) 2040, is used so as to encrypt the last data that is shorter than the block length.
According to the operation of CTS, however, a dependency relationship arises between the operation of the shorter data and the operation is performed immediately before the last data that is shorter than the block length. Thus, unless the encryption of the data having the block length is completed, the next operation on the data that is shorter than the block length cannot be started.
As a result, When blocks of input data are encrypted in parallel while using a plurality of cryptographic cores, the cryptographic core to which the data that is shorter than the block length is assigned will be in a waiting state, until the process of the cryptographic cores to which the block data are assigned are finished up the predetermined stage in CTS. In that situation, the encryption is not performed in parallel and the performance is declined.